Splunk
If you forward data using a file targets and file forwarding mechanism, then check the permissions to the ‘log’ directory to make sure that the forwarder has the appropriate access to all the files there.
The logs are located in the directory: /opt/ihub/log. For the directory log, the permissions required are Read and eXecute and the logs require Read permission. The Splunk Forwarder will need to traverse the directory to search for the logs, therefore eXecute permission is required.
Depending on the setup, the permissions required can be different. For different setups, see the details below:
- Splunk running as root user – If Splunk is running as root user, then no changes will be required. The root user will have access to the files written by the Hub regardless of whether it is running as a root user or a non-root user.
- Hub and Splunk running as non-root user – If Hub is running as a non-root user then a group would have been created as per the previous section Installation steps for Linux. The non-root user can start and stop Hub and Configuration Tool services. The user running forwarding can be added to that group. Once this is done, the forwarding software should be restarted for the new permissions to take effect.
- Hub running as root but Splunk running as non-root user – If Hub is running as root user but the forwarding software is not, then the permissions for all users will need to be configured. A system admin will need to change the permissions on the log directory to have Read and eXecute access for OTHER (All Users). For example in Linux, ‘drwxrwxr-x’ where this can be done with the chmod command.